go: update to 1.24.12, 1.25.6 (security)
These releases include 6 security fixes following the security policy:
- archive/zip: denial of service when parsing arbitrary ZIP archives
archive/zip used a super-linear file name indexing algorithm that is
invoked the first time a file in an archive is opened. This can lead
to a denial of service when consuming a maliciously constructed ZIP
archive.
Thanks to Thanks to Jakub Ciolek for reporting this issue.
This is CVE-2025-61728 and Go issue https://go.dev/issue/77102.
- net/http: memory exhaustion in Request.ParseForm
When parsing a URL-encoded form net/http may allocate an unexpected
amount of memory when provided a large number of key-value pairs.
[98 lines not shown]
lazygit: updated to 0.58.1
0.58.1
Enhancements
Update search position (match x of y) when changing the selection in a list view
Fixes
When doing ctrl-f, and the resulting commit is not visible, scroll it into view
Fix pasting multi-line text into the commit description
Fix keypad keys, and pasting emojis in Windows Terminal
Don't log the "git ls-remote" call when opening a PR
Fix rendering artefacts after double-width characters (e.g. "⚠️") on some terminals
dnsmasq: updated to 2.92
version 2.92
Redesign the interaction between DNSSEC validation and per-domain
servers, specified as --server=/<domain>/<ip-address>. This should
just work in all cases now. If the normal chain-of-trust exists into
the delegated domain then whether the domain is signed or not, DNSSEC
validation will function normally. In the case the delegated domain
is an "overlay" on top of the global DNS and no NS and/or DS records
exist connecting it to the global dns, then if the domain is
unsigned the situation will be handled by synthesising a
proof-of-non-existence-of-DS for the domain and queries will be
answered unvalidated; this action will be logged. A signed domain
without chain-of-trust can be validated if a suitable trust-anchor
is provided using --trust-anchor. This change should be backwards
compatible for all existing working configurations; it extends the
space of possible configurations which are functional.
Fix a couple of problems with DNSSEC validation and DNAME. One
[60 lines not shown]
py-meson_python: updated to 0.19.0
0.19.0
Drop Python 3.8 support.
Development-related extras were moved to dependency groups.
Add support for targeting the iOS platform.
The strip binary is now included in synthesized cross files.
Documentation improvements: add more examples for specific use cases, and a contributing guide.
Use trusted publishing with digital attestations to upload release artifacts to PyPI.
geography/gpsd: Update to 3.27.5
Upstream NEWS:
3.27.5: 14 Jan 2026
Correctly bump API Version to 16.1
cgps checks for matching API version.
3.27.4: 30-Dec-2025
Bump API Version to 16.1
3.27.3: 29-Dec-2025
Fix API major value. 3 not 0.
3.27.2: 23 Dec 2025
Fix a gpsd.rules warning. The warning drew complaint, nothing more.
textproc/rumdl: import rumdl-0.0.217
Packaged in wip by pin@ and myself.
A high-performance Markdown linter, written in Rust.
rumdl is a high-performance Markdown linter and formatter that helps
ensure consistency and best practices in your Markdown files.
Inspired by ruff 's approach to Python linting, rumdl brings similar
speed and developer experience improvements to the Markdown ecosystem.
py-uv py-uv-build: updated to 0.9.25
0.9.25
Python
Add CPython 3.15.0a4
Upgrade Tcl/Tk used by CPython to 9.0
Enhancements
Add --compile-bytecode to uv python install and uv python upgrade to compile the standard library
Allow disabling exclude-newer per package
Broadcast WM_SETTINGCHANGE on uv tool update-shell
Preview features
Detect workspace from uv run target
[7 lines not shown]
